Motor Mouth: Ransomware is the future of car theft

Imagine hackers remotely locking you out of your own car and holding it for ransom. It could very well be the next big thing in auto theft

by David Booth | April 22, 2016

Imagine your car has been stolen. It’s brand new, you’ve barely made your third payment and it’s your first luxury car, a Mercedes or BMW with all the bells and whistles. You held onto the old Taurus until the fenders almost rusted off, got pre-approved credit at the bank and cross-shopped online so assiduously that you could probably start writing for Driving.ca.

Now it’s gone, the thrust of that turbocharged engine – more power and better fuel economy, promised the salesperson – no longer making the daily commute at least a little entertaining. In fact, how are you going to get to work this morning? And, damn, I think the kid left her homework in the back seat. Crap, Bob’s coming back from his business trip tonight: How will I pick him up? Now, here’s the final insult, the kicker that makes you feel just that much more helpless: Your car is still in the driveway.

It’s called ransomware and it could well be the future of car theft. It is already the scourge of computer servers, small businesses and now hospitals; security experts, the FBI and even Interpol are predicting that automotive ransom is the next big thing in auto theft.

Here’s how it works: “Black hat” hackers — that’s the bad kind — install a worm that disables people’s most precious files. Then they let them stew helplessly for a couple of hours, so that, when they finally send a malicious little email demanding money in return for control of the hard drive, the ransom demand is almost welcomed.

The average amount extorted, according to experts, is about $500. But when you consider Forbes magazine estimates that just one “exploit” — Locky, which scrambles and renames all your important files — tries to extort as many as 90,000 victims around the world each and every day, you get an idea of how widespread ransomware already is. Now, throw in the ubiquity of bitcoin — its untraceable nature is blamed for encouraging ransomware exploits around the globe — and then target industries with products notoriously lax in cyber-security. Like, say, cars.

It might be the easiest money a high-tech gangsta will ever make. Think about it — it’s the perfect crime. The thief gets the payout of holding something valuable for ransom, yet never has to take possession of it. Why bother with all the fuss of actually stealing a car when “virtual” theft is so much easier and more profitable?

Even the most enterprising car thief is going to have a hard time “liberating” more than two or three Benzes a day, what with the plotting required, waiting around for the “target” to be isolated and, perhaps most time-consuming of all, disposing of two tons of steel and leather.

On the other hand, how many emails can an ambitious cyber-thief pump out? Once a specific operating system has been compromised, it’s comparatively simple to repeat the same exploit over and over again. And although there have been no cases of mass automotive ransoms yet, it would appear to be a case of when, not if. Corey Thuen of Digital Bond Labs told Forbes that any American taking advantage of Progressive Insurance’s discounts for “safe” driving is vulnerable to getting hacked. According to Thuen, the company’s Snapshot “dongle” — a cellular-equipped device that plugs into a car’s onboard diagnostic port to relay your driving habits back to Progressive — has “basically no security technologies whatsoever,” making more than two million Progressive clients vulnerable to anything from auto theft to “road carnage.”

And that’s not even the worst-case scenario! What if some particularly diabolical crypto-nerd were to infect all cars of a certain model and then hold the manufacturer for ransom? Andy Rowland, head of Customer Innovation, Energy, Resources and Automotive at BT Technology, posited just such a doomsday scenario to idgconnect.com, noting the “infection” could start in any number of seemingly innocent ways: a compromised app that drivers download, “a batch of components with embedded malware” not detected on the production line, or by giving USBs to franchised workshops so that malware “gets onto diagnostic PCs, which then infect all of the vehicles brought in for servicing.”

In fact, hacks of the not-so-distant future could prove even more widespread. According to William Largent, a researcher at Talos Security Intelligence and Research Group, “the age of self-propagating ransomware, or ‘cryptoworms,’ is right around the corner.” Completely self-sufficient, once a cryptoworm gains access to a system, it can navigate through a network semi-autonomously, determining how to best invade other subsystems without programmer input.

In other words, skillful hackers, if they could get access to one car’s central nervous system, might be able to design malware that infects any car connected to it. Now factor in the fact that the future of automotive safety is supposed to be vehicle-to-vehicle communication (V2V), which requires all cars be connected to one another via Dedicated Short Range Communication — a form of short-range Wi-Fi — and you have the recipe for an automotive apocalypse.

Think such a doomsday scenario is a little too far-fetched? Think again. “Until cars equipped with V2V are available and we can determine the strength of their security systems,” says Stephen Cobb, a senior security researcher at ESET, an Internet security company, “we won’t know that such exploits can’t be done.” He goes on to note that “so far, the auto industry doesn’t have a good record of building in protection before technology gets compromised; it’s always, ‘Let’s see what happens.’”

Small comfort if you’re staring at a $70,000 Mercedes-Benz “bricked” in your driveway until you fork over the required ransom — with no guarantee it won’t happen again next week.

Vehicular cyber-attacks could be terrorism’s next frontier

Although most current hacking is still plain, ordinary extortion, the possibility of cyber-attacks as terrorism is still a clear and present danger. In fact, just last week, John Carlin, U.S. Assistant Attorney General for national security, told the Society of Automotive Engineers’ 2016 World Congress that “if you were able to do something that could affect a large scale of an industry – like 100,000 cars – you could see that being in the arsenal of a nation-state’s tool kit as a new form of warfare.” In other words, the fact that Fiat Chrysler sat on a security flaw in its Jeeps – that Charlie Miller and Chris Valasek famously exposed for Wired magazine – is now a security problem. And when Leonid Bershidsky, a Berlin-based Bloomberg View columnist, says “not worrying about car hacking is like living with a ‘12345’ email password,” we’re looking at something more serious than just a couple of offshore accounts being exposed or naked selfies being passed around.